{"uuid": "0ef9b03f-b59a-465c-91cf-38292c42bbbe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57890", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/1756", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-57890\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/uverbs: Prevent integer overflow issue\n\nIn the expression \"cmd.wqe_size * cmd.wr_count\", both variables are u32\nvalues that come from the user so the multiplication can lead to integer\nwrapping.  Then we pass the result to uverbs_request_next_ptr() which also\ncould potentially wrap.  The \"cmd.sge_count * sizeof(struct ib_uverbs_sge)\"\nmultiplication can also overflow on 32bit systems although it's fine on\n64bit systems.\n\nThis patch does two things.  First, I've re-arranged the condition in\nuverbs_request_next_ptr() so that the user controlled variable \"len\" is on\none side of the comparison by itself without any math.  Then I've modified\nall the callers to use size_mul() for the multiplications.\n\ud83d\udccf Published: 2025-01-15T13:05:42.690Z\n\ud83d\udccf Modified: 2025-01-15T13:05:42.690Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/c57721b24bd897338a81a0ca5fff41600f0f1ad1\n2. https://git.kernel.org/stable/c/42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608\n3. https://git.kernel.org/stable/c/c2f961c46ea0e5274c5c320d007c2dd949cf627a\n4. https://git.kernel.org/stable/c/346db03e9926ab7117ed9bf19665699c037c773c\n5. https://git.kernel.org/stable/c/b92667f755749cf10d9ef1088865c555ae83ffb7\n6. https://git.kernel.org/stable/c/b3ef4ae713360501182695dd47d6b4f6e1a43eb8\n7. https://git.kernel.org/stable/c/d0257e089d1bbd35c69b6c97ff73e3690ab149a9", "creation_timestamp": "2025-01-15T14:26:39.000000Z"}